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DETAILED ACTION 
Response to Amendment 

This office action is in response to amendment filed on 07/15/04. Original application 
contained Claims 1-26; therefore, presently pending claims are 1-26. 

Response to Arguments 

Applicant's arguments filed 4/5/04 have been fiiUy considered and are found persuasive. 
The delay in citation of the newly discovered prior art is regretted. 



Claim Rejections - 35 USC§103 
The following is a quotation of 35 U.S. C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

1. Claims 1-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over (U.S. Patent 
6,574,666 Bl) in view of O'Brien et al. (6,658,571 Bl). 

In reference to claim 7, Dutta suggests a firewall device having a plurality of 
communication interfaces, a firewall system comprising: a) a firewall core connected to each 
said communication interface (column 4 lines 63-66); said firewall core configured to receive 
data packets from said interfaces for inspection (column 2 lines 60-65). 

The firewall core utilizes a Ubrary of rules that can be downloaded from a database 
(column 3 hnes 15-25); therefore Dutta discloses receiving security information from a separate 
subsystem, the database. Dutta does not disclose the separate subsystem consisting of at least 
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one inspection module coupled for communication to said firewall core, said inspection module 
configured to provide protocol inspection of data packets, said inspection module is further 
configured to be installed during the operation of the firewall system. 

However, O'Brien disclose^the separate subsystem consisting of at least one inspection 
module coupled for communication to the user space, said inspection module configured to 
provide protocol inspection of data (column 3 lines 39-56), said inspection module is further 
configured to be installed during the operation of the system (column 3 lines 56-64). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use security modules as in O'Brien to provide protocol inspection in the system 
of Dutta. One of ordinary skill in the art would have been motivated to do this because security 
information that is application and resource specific which would reduce the damage that 
malicious software can cause in the event that malicious software is accidentally executed 
without additional hardware, or modification to the individual software applications or the 
underlying operating system. 

In reference to claim 6, Dutta suggests a firewall device having a plurality of 
communication interfaces, a firewall core configured to be coupled to at least one inspection 
module, said firewall core comprising: a communication unit operatively coupled to the 
communication interfaces (column 4 lines 63-66). 

The firewall core in the system of Dutta utilizes a library of rules that can be downloaded 
fi"om a database (column 3 lines 15-25); therefore Dutta discloses receiving security information 
fi-om a separate subsystem, tfie database. However Dutta does not disclose a set of callback 
functions, retrieved fi'om said inspection module, each said function providing communication 
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between said firewall core and said inspection module. In addition the firewall core disclosed by 
Dutta is not configured to monitor a memory to determine when a new inspection module is 
loaded into said memory (column 5 lines 15-27). 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27). In addition the system of O'Brien is configured to monitor a memory to 
determine when a new inspection module is loaded into said memory (column 5 lines 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 10, Dutta suggests a firewall device having a plurality of 
communication interfaces and a firewall core coupled to the communication interfaces, an 
inspection module to configured to couple with the firewall core, said inspection module 
comprising: a) an inspection unit configured to inspect and authorize data packets (column 5 
lines 1-12), 

The firewall core in the system of Dutta utilizes a library' of mles that can be downloaded 
from a database (column 3 lines 15-25); therefore Dutta discloses receiving security information 
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from a separate subsystem, the database. However Dutta does not disclose a set of callback 
functions, retrieved from said inspection module, each said function providing communication 
between said firewall core and said inspection module. In addition the system disclosed by 
O'Brien is configured to monitor a memory to determine when a new inspection module is 
loaded into said memory (column 5 lines 15-27). 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27). In addition the firewall core disclosed by Dutta is not configured to 
monitor a memory to determine when a new inspection module is loaded into said memory 
(column 5 Unes 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claims 15 and 21, Dutta suggests a firewall device having a firewall 
system including a firewall core, a method for adding protocol knowledge to the firewall system 
during runtime (column 3 lines 14-25). 
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However Dutta does not disclose a) loading an inspection module comprising new 
protocol inspection knowledge and a function table having a set of callback functions; to b) 
notifying the firewall core of said inspection module (column 3 lines 26-33); and c) 
communicating said set of callback functions to said firewall core. 

O'Brien discloses a) loading an inspection module comprising new protocol inspection 
knowledge and a function table having a set of callback functions (column 5 lines 1-27); to b) 
notifying the security master of said inspection module (column 5 lines 12-27); and c) 
communicating said set of callback functions to the security master (column 5 lines 27-45). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software appUcations or 
the underlying operating system. 

In reference to claim 2, wherein said inspection module is installed into a memory space 
monitored by said firewall core (Dutta column 4 lines 41-62). 

In reference to claim 5, wherein said inspection module further comprises callback 
functions, said functions communicated to said firewall core and providing communication 
between said firewall core and said inspection module. 
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Dutta does not expressly disclose the use of callback functions which communicate to the 
firewall core and providing communication between the firewall core and said inspection 
module. 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27) 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that ntialicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 4, wherein said inspection module is further configured to indicate 
to said firewall core for which data packets said inspection module is configured to provide 
inspection (Dutta column 4 line 66 to column 5 line 12). 

In reference to claim 5, wherein said data packets intercepted by said firewall core further 
includes session information comprising address and port data, said firewall core further 
configured to map said session information to corresponding inspection modules (Dutta column 
2 line 60 to column 3 line 5 in combination with colnmji 4 lines 32-50). Packet Filter Router 
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rules are based on address and port information, therefore, the address and port information 
obviously must be contained within the packets. 

In reference to claim 7, wherein said communication unit is further configured to 
intercept network data communicated via said network interfaces (Dutta column 3 Hues 46-65). 

In reference to claim 8, further comprising a session mapping unit, said data packets 
intercepted by said firewall core further including session information comprising address and 
port data, said firewall core further configured to map said session information to corresponding 
inspection modules into a session mapping and store said session mapping into said session 
mapping unit (Dutta column 2 line 60 to column 3 line 5 in combination with column 4 Hues 32- 
50). Packet Filter Router rules are based on address and port information, therefore, the address 
and port information obviously must be contained within the packets. 

In reference to claim P, wherein said communication unit is further configured to 
communicate packets between said communication interfaces and said inspection module for 
inspection (Dutta column 4 line 63 to column 5 line 12). 

In reference to claim 11; wherein said inspection unit is further configured to be installed 
during the operation of the firewall core. The rules retrieved by the filter processor to update the 
filter processor are retrieved during the operation of the filter processor. 

In reference to claim 13, the firewall system of claim 1, wherein said inspection module 
is further configured to indicate to said firewall core for which data packets said inspection 
module is configured to provide inspection (Dutta column 5 lines 1-12). 

In reference to claim 14, where in said inspection unit is further configured to receive and 
inspect packets communicated fi*om the firewall core (Dutta column 5 lines 5-12). 
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In reference to claimil6 and 22, fixrther comprising enabling said inspection module, 
prior to communicating said set of callback function to said firewall core. The new information 
is used to filter packets therefore the new rules, provided by the filter processor, are in an 
enabled state similar to the state of the inspection module. • 

In reference to claimsl? and 23, further comprising inspecting of packets by said 
inspection module, said packets communicated from the firewall core to said inspection rriodule 
(Dutta column 5 lines 1-12). 

In reference to claimsl9 and 25, wherein said notifying the firewall core comprises 
transmitting a signal to the firewall core to indicate the installation of said inspection module 
(Dutta column 3 lines 25-32). 

In reference to claims20 and 26, further comprising indicating by said inspection module 
for which data packets said inspection module provides inspection (Dutta column 5 lines 1-12). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paula W Klimach whose telephone number is (571) 272-3854. 
The examiner can normally be reached on Mon to Thr 9:30 a.m to 5:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for pubhshed applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpubUshed 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

PWK 

Tuesday, November 02, 2004 
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